At 10:40 PM 2/21/2005 -0500, Stuart Gathman wrote:
> On Mon, 21 Feb 2005, David MacQuigg wrote:
> > 5) Bounces and rejects must go back the path they came, not to some
> > header address that might be forged.
> Unless the IP gets an SPF PASS, the only way to do that is to issue an SMTP
> REJECT.
If the IP address is recorded in a header, then a bounce could be sent even
*after* the SMTP session is closed. Seems to me that an ability to relay a
delayed bounce may be an unavoidable requirement if forwarders are going to
participate in an IP-authenticated transfer.
> > Here is my proposed new header to meet these requirements:
> >
> > Authenticate: SPF1 [<IP Address>] <senders-domain> PASS
> What is wrong with the header already defined? Here are the last two PASSes
> from my log for example:
> Received-SPF: pass (mail.bmsi.com: guessing: domain of fifthwater.com
> designates 193.28.182.113 as permitted sender)
> client-ip=193.28.182.113;
> envelope-from=Francina_Mickel(_at_)fifthwater(_dot_)com;
> helo=fifthwater.com;
> Received-SPF: pass (mail.bmsi.com: domain of mx6.rambler.ru
> designates 81.19.66.150 as permitted sender)
> client-ip=81.19.66.150;
> envelope-from=postmaster(_at_)mx6(_dot_)rambler(_dot_)ru;
> helo=mx6.rambler.ru;
> and here is a NEUTRAL:
> Received-SPF: neutral (mail.bmsi.com: guessing: 202.47.165.130 is neither
> permitted nor denied by domain of MTS_PDC.drbhicom.com.my)
The problem with these headers seems to be that nobody likes them :>(
Certainly not the SenderID folks, but surprisingly not even
pobox.com. Remember, we are talking social engineering, not technical
capability. Imagine you are an advocate of SenderID.
The downside of this lack of cooperation is that every MTA will have to
fully implement the interpretation of headers from every protocol, because
some forwarders will use Received-SPF, and others will use PRA. Take a
look at today's post by Mark "SPF-socketmapd". Quoting from Mark:
"""
It saddens me that it had to come to this; but, unless you use a Milter
again (which we really want to avoid), there is simply no other way to
have sendmail accept a duplicate Received-SPF header (at least not until
such time that sendmail.org considers Received-SPF an accepted
trace-header; maybe when SPF becomes 'official'?).
"""
We could have had a standard 8 months ago! How much longer should we wait
for SPF to become "official"?
-- Dave
*************************************************************
* David MacQuigg, PhD          * email: dmq at gain.com     *
* IC Design Engineer           * phone: USA 520-721-4583    *
* Analog Design Methodologies  *                            *
*                              * 9320 East Mikelyn Lane     *
* VRS Consulting, P.C.         * Tucson, Arizona 85710      *
*************************************************************
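An added illustration of the interpretation burden the message describes, not code from the list or from any SPF implementation: a small Python parser for the Received-SPF header in the form Stuart quotes, run over those three values, which also refuses to act on a header unless the receiver named in its comment is one the site trusts. It assumes the list archive's (_at_)/(_dot_) rewriting of addresses, which it undoes; the trusted-receiver set is a hypothetical local policy.

```python
import re

# Constructed sample values, copied from the Received-SPF headers quoted in the
# message above.  Assumption: the list archive rewrites "@" as "(_at_)" and
# "." as "(_dot_)" inside addresses; that is undone below, it is not SPF syntax.
SAMPLES = [
    "pass (mail.bmsi.com: guessing: domain of fifthwater.com designates "
    "193.28.182.113 as permitted sender) client-ip=193.28.182.113; "
    "envelope-from=Francina_Mickel(_at_)fifthwater(_dot_)com; helo=fifthwater.com;",
    "pass (mail.bmsi.com: domain of mx6.rambler.ru designates 81.19.66.150 as "
    "permitted sender) client-ip=81.19.66.150; "
    "envelope-from=postmaster(_at_)mx6(_dot_)rambler(_dot_)ru; helo=mx6.rambler.ru;",
    "neutral (mail.bmsi.com: guessing: 202.47.165.130 is neither permitted nor "
    "denied by domain of MTS_PDC.drbhicom.com.my)",
]

RESULTS = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"}
# result word, optional "(comment)", then the trailing key=value; list
HEADER_RE = re.compile(r"^\s*(?P<result>[A-Za-z]+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<kv>.*)$")

def deobfuscate(value):
    return value.replace("(_at_)", "@").replace("(_dot_)", ".")

def parse_received_spf(value):
    """Split a Received-SPF value into result, receiver (first word of the
    comment), the raw comment, and the key=value fields that follow it."""
    m = HEADER_RE.match(value)
    if not m:
        raise ValueError("malformed Received-SPF value")
    result = m.group("result").lower()
    if result not in RESULTS:
        raise ValueError(f"unknown SPF result {result!r}")
    fields = {}
    for part in m.group("kv").split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed key/value {part!r}")
        fields[key.strip().lower()] = deobfuscate(val.strip())
    comment = m.group("comment")
    receiver = comment.split(":", 1)[0].strip() if comment else None
    return {"result": result, "receiver": receiver, "comment": comment, **fields}

def trusted_result(value, trusted_receivers):
    """Return the SPF result only if a receiver we trust stamped the header, else
    None: any earlier hop can insert Received-SPF, so an untrusted one must not
    drive acceptance or bounce-routing decisions."""
    parsed = parse_received_spf(value)
    return parsed["result"] if parsed["receiver"] in trusted_receivers else None
```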
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Read the whitepaper! http://spf.pobox.com/whitepaper.pdf